Perl$hop E-Commerce Script - Trust Boundary Input Parameter Injection













A while back I was playing around with Perl$hop, which if you are not
aware, is an e-commerce script developed by Waverider Systems.    XSS
(Cross Site Scripting), Directory Traversal, Code Execution, and more!  
Wow, that sure is a lot of vulnerabilities for one product.  It would
seem as if the developers had little to no regard for web application
security.  Which, were this not a free product, I might comment further
upon.  As this is not the case, allow me to continue.

One of the initial vulnerabilities I noticed when viewing the source
code to a product page was the existence of a hidden input field named
ITEM_PRICE.  Now we simply download the source to the page, edit the
hidden value of input field ITEM_PRICE to whatever we want, as an
example value=?0.01?, and save.  Reopen and purchase the item.  The
following checkout page will verify your success or lack thereof.  So we
can set our own price, fun stuff!

Next we examine perlshop.cgi and notice that the script does not
properly sanitize user input.  After a little variable injection we find
that the GET variable ?thispage? is vulnerable to a directory traversal
and potential code execution depending on the environment.  If you were
hoping for an exploit example, here it is:


And lastly, to save myself the trouble, I?ll just say that the GET
variable CUR, thispage, LANG, and most likely others contain cross site
scripting vulnerabilities.  XSS vulnerabilities are not nearly as
critical as the aforementioned directory traversal and code execution
vulnerabilities though they should still be taken seriously as session
fixation attempts could allow a hacker to hijack accounts. 

# [2009-08-04]